
Cryptographic Protocols for Electronic Voting


Page 1: Cryptographic Protocols for Electronic Voting

David Wagner, UC Berkeley

Page 2

The Problem with Paperless Voting

• Unverified software must be presumed malicious
• How do you know whether your vote will be counted correctly, when voting machine software can record one thing and tell you another?

No rational basis for trust in election results

Page 4

Problem Statement

• The problem: With today’s paperless voting machines, the integrity of the election relies completely on software.

• Goal: The integrity of the election should not be dependent upon the correctness of software.

Page 5

Security Goals for an Election

• Integrity: No election fraud

• Transparency: Everyone must be able to verify that the election was conducted properly

• Privacy: No one learns how the voter has voted

• Secret ballot: Voter cannot prove how she voted

Page 6

In This Talk…

• “The early years”
  – How to prove ballots were counted correctly (using crypto)
  – But: fails to address ballot preparation
• Modern cryptographic voting systems
  – End-to-end integrity: proving that ballots were cast and counted as the voter intended (using crypto)

Page 7

Featuring Work By…

Andy Neff, David Chaum, Josh Benaloh, Peter Ryan, Steve Schneider, and many others

All ideas in this talk were discovered by others. Any errors are my fault.

Page 8

Cryptographic Voting with Trusted Server

(Figure: voters submit Epk(v(1)), …, Epk(v(n)) to a trusted server, which decrypts them and outputs the votes v(π(1)), …, v(π(n)) in a permuted order π)

Page 9

El Gamal Encryption

• Encrypt votes using El Gamal: E(v) = (g^r, h^r · v), r ← Z/qZ
• Ciphertexts can be blinded (re-randomized): Blind(x, y) = (g^s · x, h^s · y), s ← Z/qZ
• Blinding forms a group: Blind_s(Blind_s′(c)) = Blind_{s+s′}(c)
• Supports threshold decryption

Page 10

Re-encryption Mixnet

Inputs: c(i) = E(v(i)) for i = 1..4. Outputs: re-randomized copies in a secret permuted order, e.g.

d(1) = Blind(c(2))
d(2) = Blind(c(3))
d(3) = Blind(c(1))
d(4) = Blind(c(4))

In general, d(i) = Blind(c(π(i))) for a secret permutation π.

Page 11

ZK Proof of Correct Shuffling [Benaloh]

• Given: c(1..n), d(1..n)
• To prove: c ~ d (i.e., d = π(c): d is a blinded permutation of c)

Prover → Verifier: t = σ(c) (for a fresh random σ ← S_n, with fresh blinding)
Verifier → Prover: “prove c ~ t” or “prove d ~ t” (chosen at random)
Prover → Verifier: σ, or σ∘π⁻¹ (and all necessary blinding factors)

Page 12

Distributing Trust During Vote-Counting

(Figure: the ciphertexts c pass through a chain of mixes, each run by a different trustee: Trustee #1 outputs π1(c), Trustee #2 outputs π2(π1(c)), Trustee #3 outputs π3(π2(π1(c))) = d)

Trustees perform threshold decryption of d, and provide ZK proof of correct mixing and correct decryption.

Unconditional integrity (even if all trustees collude). Computational privacy, assuming one honest trustee.
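The following Python program is an added worked example covering pages 9 through 12; it is not code from the slides, nor Neff's or Benaloh's own implementation. It shows exponential El Gamal in a toy prime-order subgroup, the blinding group property, a re-encryption mix, a Benaloh-style cut-and-choose proof that the mix output is a blinded permutation of its input, and joint decryption by trustees. The group parameters p = 2039, q = 1019, g = 4 and the n-of-n additive key sharing (used in place of a true t-of-n threshold scheme) are assumptions made to keep the example short and readable.

```python
import secrets

# Toy safe-prime group: p = 2q + 1, q prime, g = 4 generates the order-q subgroup.
# Chosen only to keep the arithmetic readable; far too small for real use.
P, Q, G = 2039, 1019, 4

def encode(b):
    """Carry a vote b as the group element g^b (the (g^r, h^r g^b) form of page 17)."""
    return pow(G, b, P)

def decode(m, max_b=64):
    """Invert encode() by trial; cheap for the few candidates on a ballot."""
    for b in range(max_b):
        if pow(G, b, P) == m:
            return b
    raise ValueError("not an encoded vote")

def encrypt(h, m, r=None):
    """E(v) = (g^r, h^r * v) with r <- Z/qZ."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(h, r, P) * m % P)

def blind(h, c, s):
    """Blind_s(x, y) = (g^s * x, h^s * y): same plaintext, fresh randomness."""
    return (pow(G, s, P) * c[0] % P, pow(h, s, P) * c[1] % P)

def blinding_composes(h, c, s, s2):
    """Group property: Blind_s(Blind_s'(c)) == Blind_{s+s'}(c)."""
    return blind(h, blind(h, c, s2), s) == blind(h, c, (s + s2) % Q)

def distributed_keygen(n):
    """n-of-n additive shares x_i, h = g^(sum x_i).  Assumption standing in for
    the t-of-n threshold scheme a real election would use."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return shares, pow(G, sum(shares) % Q, P)

def distributed_decrypt(shares, c):
    """Each trustee publishes a^(x_i); multiplying them removes h^r from b."""
    a, b = c
    a_x = 1
    for x_i in shares:
        a_x = a_x * pow(a, x_i, P) % P
    return b * pow(a_x, Q - 1, P) % P   # (a^x)^(q-1) = (a^x)^-1 in the order-q subgroup

def mix(h, cs):
    """Re-encryption mix (page 10): d_i = Blind_{s_i}(c_{pi(i)}), pi and s secret."""
    n = len(cs)
    pi = list(range(n))
    secrets.SystemRandom().shuffle(pi)
    ss = [secrets.randbelow(Q) for _ in range(n)]
    return [blind(h, cs[pi[i]], ss[i]) for i in range(n)], pi, ss

def commit_round(h, cs):
    """Prover's first move (page 11): t = sigma(c) with a fresh permutation and blinding."""
    n = len(cs)
    sigma = list(range(n))
    secrets.SystemRandom().shuffle(sigma)
    us = [secrets.randbelow(Q) for _ in range(n)]
    return [blind(h, cs[sigma[i]], us[i]) for i in range(n)], (sigma, us)

def respond(pi, ss, state, challenge):
    """Challenge 0 ("prove c ~ t"): reveal sigma and u.
    Challenge 1 ("prove d ~ t"): reveal sigma o pi^-1 and the differences u_i - s_j."""
    sigma, us = state
    if challenge == 0:
        return sigma, us
    inv_pi = {pi[j]: j for j in range(len(pi))}
    rho = [inv_pi[s] for s in sigma]          # t_i is a re-blinding of d_{rho(i)}
    return rho, [(us[i] - ss[rho[i]]) % Q for i in range(len(sigma))]

def verify_round(h, cs, ds, ts, challenge, response):
    """Verifier rebuilds t from c (challenge 0) or from d (challenge 1)."""
    perm, factors = response
    source = cs if challenge == 0 else ds
    n = len(cs)
    return sorted(perm) == list(range(n)) and all(
        ts[i] == blind(h, source[perm[i]], factors[i]) for i in range(n))

def shuffle_proof_passes(h, cs, ds, pi, ss, rounds=20):
    """A mixer whose d is not a shuffle of c can answer only one of the two
    challenges, so each round halves its chance of surviving."""
    for _ in range(rounds):
        ts, state = commit_round(h, cs)
        challenge = secrets.randbelow(2)              # verifier's coin flip
        if not verify_round(h, cs, ds, ts, challenge, respond(pi, ss, state, challenge)):
            return False
    return True

def tally(votes, trustees=3):
    """Page 12 end to end: encrypt, mix with proof, decrypt jointly; sorted votes."""
    shares, h = distributed_keygen(trustees)
    cs = [encrypt(h, encode(v)) for v in votes]
    ds, pi, ss = mix(h, cs)
    if not shuffle_proof_passes(h, cs, ds, pi, ss):
        raise RuntimeError("mix rejected")
    return sorted(decode(distributed_decrypt(shares, d)) for d in ds)
```

A mix whose output has had one ciphertext's plaintext altered still answers the "prove c ~ t" challenge perfectly, because that challenge never looks at d; only the "prove d ~ t" challenge exposes it, which is why the rounds are repeated with random challenges.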

Page 13

Criticisms of Early Voting Protocols

• Early protocols got the threat model wrong.
  – In reality, trust in the voter’s computer is unwarranted.
• Early protocols ignored ballot preparation—which turns out to be the hard problem.

Page 14

A Better Voting Machine [Neff]

(Figure: a voting machine with untrusted software prints a receipt, which enables the voter to check that their vote was counted as intended)

Page 15

Proof of Equality

Prover: “Both envelopes contain the same number”
Verifier: “Oh yeah? Prove it!”
Prover: “They both contain 42”
Verifier: “Show me what’s in the left one”

Page 16

Proof of Equality

The left envelope is opened: it contains 42.

Page 17

Notation

A boxed b denotes an encryption of b (e.g., (g^r, h^r · g^b)); equivalently, a commitment to b.
An opened box shows the randomness used in it (e.g., (r, b)); that is, an opened commitment to b.

Page 18

A Special Ballot Encoding

Unencrypted ballot (each candidate’s row holds pairs of bits):

GIULIANI  0 1  1 0  1 0  0 1
CLINTON   1 1  0 0  0 0  0 0

This is a vote for Clinton: on the chosen candidate’s row both bits of every pair are equal; on the other row the two bits of each pair differ.

Page 19

Encrypting The Ballot

Encrypted ballot (every bit replaced by a commitment to it):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1][1]  [0][0]  [0][0]  [0][0]

An encrypted vote for Clinton

Page 21

Proving the Ballot Was Encrypted Correctly

Encrypted ballot:

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1][1]  [0][0]  [0][0]  [0][0]

Machine proves both bits of the first Clinton pair are the same.

Machine: “Both bits are 1”
Voter: “Open up the right commitment”

Page 22

Proving the Ballot Was Encrypted Correctly

Encrypted ballot (the right commitment of the first Clinton pair has been opened):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0][0]  [0][0]  [0][0]

Machine proved both bits are the same: it claimed “Both bits are 1”, the voter said “Open up the right commitment”, and the opened commitment shows 1.

Page 23

Proving the Ballot Was Encrypted Correctly

Encrypted ballot (opened so far: 1):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0][0]  [0][0]  [0][0]

Page 24

Proving the Ballot Was Encrypted Correctly

Encrypted ballot (opened so far: 1):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0][0]  [0][0]  [0][0]

Machine proves both bits of the next pair are the same.

Page 25

Proving the Ballot Was Encrypted Correctly

Encrypted ballot (opened so far: 1 0):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0] 0   [0][0]  [0][0]

Machine proves both bits of the next pair are the same.

Page 26

Proving the Ballot Was Encrypted Correctly

Encrypted ballot (opened so far: 1 0 0):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0] 0   [0] 0   [0][0]

Machine proves both bits of the last pair are the same.

Page 27

Proving the Ballot Was Encrypted Correctly

Partially encrypted ballot (one commitment of every Clinton pair opened):

GIULIANI  [0][1]  [1][0]  [1][0]  [0][1]
CLINTON   [1] 1   [0] 0   [0] 0   [0] 0

Opened bits 1 0 0 0, together with the machine’s claims and the voter’s challenges, form a transcript of an interactive proof that this contains a valid vote for Clinton.

Page 28

Receipts That Reveal Nothing

Printed on the receipt:

CLINTON   1 0 0 0   (a transcript of an interactive proof that this contains a valid vote for Clinton)
GIULIANI  1 01 0 10 (a fake transcript of an interactive proof that this contains a valid vote for Giuliani)

Page 29

Putting it Together: Neff’s Scheme

• Machine interactively proves that the encrypted ballot accurately captures the voter’s intent
• Machine prints (real and fake) proof-transcripts onto a paper receipt retained by the voter
• Machine publicly posts an image of the receipt
• Voter checks that her receipt was publicly posted
• Trustees decrypt and tally all posted receipts using re-encryption mixes and threshold decryption
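An added Python sketch of the ballot encoding, the interactive proof and the receipt from pages 17 through 29; it is not code from the slides or from Neff. It assumes a hash-based commitment in place of the El Gamal commitment of the Notation slide, four bit pairs per candidate row, and a per-pair left/right challenge chosen by the voter; the encoding rule (equal bits on the chosen row, differing bits elsewhere) is read off the table on page 18. The `pledged` parameter of `build_receipt` is a hypothetical hook that models a machine which encoded one candidate but pledged for another.

```python
import hashlib
import secrets

def commit(bit, rnd):
    """Commitment to one bit.  Hash-based here (assumption); the scheme itself
    can use the El Gamal form (g^r, h^r g^b) from the Notation slide."""
    return hashlib.sha256(rnd + bytes([bit])).hexdigest()

def encode_ballot(candidates, chosen, pairs=4):
    """Row of bit pairs per candidate: equal bits on the chosen row, differing
    bits on every other row (the page 18 table)."""
    rows = {}
    for cand in candidates:
        row = []
        for _ in range(pairs):
            b = secrets.randbelow(2)
            row.append((b, b) if cand == chosen else (b, 1 - b))
        rows[cand] = row
    return rows

def commit_ballot(rows):
    """Encrypted ballot: one commitment per bit; the machine keeps the openings."""
    coms, openings = {}, {}
    for cand, row in rows.items():
        coms[cand], openings[cand] = [], []
        for left, right in row:
            rl, rr = secrets.token_bytes(16), secrets.token_bytes(16)
            coms[cand].append((commit(left, rl), commit(right, rr)))
            openings[cand].append(((left, rl), (right, rr)))
    return coms, openings

def pledge(rows, cand):
    """'Both bits are b' for every pair of a row; printed BEFORE the challenge."""
    return [left for left, _ in rows[cand]]

def fake_pledge(rows, cand, challenge):
    """Simulated pledge, written AFTER the challenge: copy the bit about to be opened."""
    return [rows[cand][i][challenge[i]] for i in range(len(challenge))]

def open_bits(openings, cand, challenge):
    """Open the left (0) or right (1) commitment of each pair, as challenged."""
    return [openings[cand][i][challenge[i]] for i in range(len(challenge))]

def build_receipt(candidates, encoded, challenge, pledged=None):
    """Honest machine: pledged == encoded (the default).  A machine that encodes
    one candidate but pledges for another is the cheating case."""
    pledged = encoded if pledged is None else pledged
    rows = encode_ballot(candidates, encoded, len(challenge))
    coms, openings = commit_ballot(rows)
    receipt = {"commitments": coms, "challenge": challenge, "rows": {}}
    for cand in candidates:
        p = pledge(rows, cand) if cand == pledged else fake_pledge(rows, cand, challenge)
        receipt["rows"][cand] = {"pledge": p, "opened": open_bits(openings, cand, challenge)}
    return receipt

def verify_receipt(receipt):
    """Anyone can check every row: each opened bit matches its commitment and
    its pledge.  All rows of an honest receipt verify, so the receipt alone does
    not show which pledge was real; only the voter knows which pledge she saw
    before choosing her challenge."""
    ch = receipt["challenge"]
    for cand, row in receipt["rows"].items():
        for i, (bit, rnd) in enumerate(row["opened"]):
            if commit(bit, rnd) != receipt["commitments"][cand][i][ch[i]]:
                return False
            if bit != row["pledge"][i]:
                return False
    return True
```

A machine that encoded Giuliani but pledged for Clinton before the challenge is caught as soon as any pair of the Clinton row is opened on the side that disagrees with the pledge; with random left/right challenges it survives with probability 2^-(number of pairs), which is why more pairs give a stronger guarantee.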

Page 30

Security Properties of [Neff]

• Integrity: Voters can use their receipt to confirm that their votes were recorded and counted as intended

• Privacy: Voters cannot sell their vote or be coerced (the receipt provides no information about their vote, since all transcripts on the receipt can be simulated)

• No reliance on software!

Page 31

A Better Paper Ballot [CRS]

(Figure: an OFFICIAL BALLOT for PRESIDENT in two halves. One half lists the candidates, RUDY GIULIANI and HILARY CLINTON, in a random order o; the other half carries Epk(o).)

Page 33

A Better Paper Ballot, With Receipt

(Figure: the same ballot as a two-layer form, a top layer over carbon paper, so that marks made on the top layer and the printed Epk(o) also appear on the layer beneath)

Page 34

A Marked Ballot

(Figure: the same ballot after the voter marks her choice for PRESIDENT)

Page 35

The Receipt Is Torn Off

(Figure: the layers are separated: one part, showing Epk(o), is retained by the voter; the other is deposited into the ballot box)

Page 36

Casting the Ballot

• The ballot is deposited into the ballot box
• The left side of the ballot is digitally scanned and this image is posted publicly
• Ballots can be hand-counted or electronically counted

Page 37

Verifiably Correct Tallying

• Voters check that a picture of their receipt appears on the public bulletin board

• Trustees shuffle and decrypt receipts using re-encryption mixes and threshold decryption

• Everyone verifies that trustees performed tallying correctly by checking ZK proofs
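An added Python model of the ballot flow on pages 31 through 37; it is not code from the slides or from the CRS authors. It models a ballot whose names half lists the candidates in a random order o and whose receipt half carries Epk(o), the voter marking a row and tearing the halves apart, posting the receipt on a public bulletin board, the voter's check, and the trustees' tally. Assumptions: the same toy El Gamal group (p = 2039, q = 1019, g = 4) used in the earlier example, o carried as the group element g^o where o indexes a permutation of the candidate list, and a single decryption key standing in for the re-encryption-mix and threshold-decryption step of the real scheme.

```python
import itertools
import secrets

P, Q, G = 2039, 1019, 4   # toy safe-prime group (assumption); never use in practice

def keygen():
    """Trustee key x, public key h = g^x (one key stands in for the threshold set)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(h, m):
    r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(h, r, P) * m % P)

def decrypt(x, c):
    a, b = c
    return b * pow(a, Q - x, P) % P   # a^(q-x) = a^-x in the order-q subgroup

def print_ballot(h, candidates):
    """Names half: candidates in a random order o.  Receipt half: Epk(o)."""
    orders = list(itertools.permutations(candidates))
    o = secrets.randbelow(len(orders))
    return {"names": list(orders[o]), "enc_order": encrypt(h, pow(G, o, P))}

def mark_and_tear(ballot, candidate):
    """The voter marks her candidate's row; the torn-off receipt half shows only
    the position of the mark and Epk(o), so it carries no candidate name."""
    return {"position": ballot["names"].index(candidate), "enc_order": ballot["enc_order"]}

def post(board, receipt):
    """The scanned receipt is posted on the public bulletin board."""
    board.append(receipt)

def voter_check(board, receipt):
    """The voter looks for an exact copy of her receipt on the board."""
    return receipt in board

def tally(x, board, candidates):
    """Trustees decrypt each posted receipt's order and read off the marked name."""
    orders = list(itertools.permutations(candidates))
    counts = {c: 0 for c in candidates}
    for rcpt in board:
        m = decrypt(x, rcpt["enc_order"])
        o = next(i for i in range(len(orders)) if pow(G, i, P) == m)
        counts[orders[o][rcpt["position"]]] += 1
    return counts
```

The receipt half on its own is just a row position plus a ciphertext; without the trustees' key the position says nothing about which candidate was marked, which is the privacy claim on page 38, while the bulletin-board check and the decrypted tally give the integrity claim.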

Page 38

Security Properties of [CRS]

• Integrity: Voters can use their receipt to confirm that their votes were recorded and counted as intended

• Privacy: Voters cannot sell their vote or be coerced (the receipt provides no information about their vote)

• No reliance on software!

Page 39

Potential Challenges in the Real World

• Human factors and voter training (voters will have to learn how to use new ballots; will voters make more mistakes?)

• Accessibility (lacks verifiability for visually impaired voters)

• Public confidence in hairy math (most voters and officials won’t understand the crypto)

Page 40

In Summary

• Can build voting machines whose correctness is—at least in principle—not dependent on software.

• Practical feasibility still uncertain, but worth a shot. An exciting field with many beautiful ideas.

• Humans can verify that complex cryptographic computations were performed correctly. Wow!